The Hacker News — Cyber Security, Hacking, Technology News

The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.

To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes FireWall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company's Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)

Cato Research Labs determined crypto mining represents a moderate threat to the organization. Immediate disruption of the organization infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.

However, there are significant risks of increased facility cost that must be addressed.

Understanding Blockchain and Crypto Mining

Crypto mining is the process of validating cryptocurrency transactions and adding encrypted blocks to the blockchain. Miners solve a hash to establish a valid block, receiving a reward for their efforts. The more blocks that have been mined, the more difficult and resource-intensive solving the hash for a new block becomes.

Today, the mining process can require years with an off-the-shelf computer. To get around the problem, miners use custom hardware to accelerate the mining process and form "mining pools" in which collections of computers work together to calculate the hash.

The more compute resources contributed to the pool, the greater the chance of mining a new block and collecting the reward. It's this search for more compute resources that has led some miners to exploit enterprise and cloud networks.

Participating in mining pools requires that computers run native or JavaScript-based mining software (see Figure 1). Both use the Stratum protocol to distribute computational tasks among the computers in the mining pool over TCP or HTTP/S (technically, WebSockets over HTTP/S).

Figure 1: An example of a website running JavaScript-based mining software. Typically, websites do not ask for permission.

Native mining software will typically use long-lasting TCP connections, running Stratum over TCP; JavaScript-based software will usually rely on shorter-lived connections and run Stratum over HTTP/S.

The Risk Crypto Mining Poses to the Enterprise

Mining software poses a risk to the organization on two counts. In all cases, mining software is highly compute-intensive, which can slow down an employee’s machine. Running CPUs under high load for an extended period of time will increase electricity costs and may also shorten the life of the processor or the battery within laptops.

Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in a way similar to how botnet-delivered malware exploits a victim’s machine. As such, the presence of native mining software may indicate a compromised device.

How To Protect Against Crypto Mining

Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.

The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains for joining public mining pools.

Approach 1: Blocking Unencrypted Stratum Sessions with DPI

DPI engines can disrupt blockchain communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture where servers send messages (publish) to subscribed clients. Blocking the subscription or publishing process will prevent Stratum from operating across the network.

A subscription request to join a pool will have the following entities: id, method, and params (see Figure 3). Configure DPI rules to look for these parameters to block Stratum over unencrypted TCP.

{"id": 1, "method": "mining.subscribe", "params": []}

Three parameters are used in a subscription request message when joining a pool.
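The following is an added example, not code from the article or from Cato Research Labs, showing how the DPI check described above can be expressed as detection logic: Stratum carries newline-delimited JSON-RPC, so a reassembled TCP payload is split on newlines and each message is flagged when it has the three entities the article names (id, method, params) and a mining.* method. A second function checks a flow's destination against a pool-address blocklist, which is the article's Approach 2. The method list beyond mining.subscribe, the blocklist hostnames and the sample payloads are all constructed for this example.

```python
import json
from typing import Dict, List, Optional

# Stratum request methods a DPI rule would look for. mining.subscribe is the
# join message the article shows; the others are the usual follow-ups once a
# miner has joined. The exact set is an assumption of this example.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}

# Constructed blocklist of pool hostnames (placeholders, not real pools).
POOL_BLOCKLIST = {"pool.example-xmr.test", "stratum.example-pool.test"}


def parse_stratum_message(line: bytes) -> Optional[dict]:
    """Return the decoded object if `line` is a Stratum request, else None.

    A Stratum request is a JSON object carrying id, method and params, with a
    method in the mining.* namespace. Anything that is not valid UTF-8 JSON,
    not an object, or a JSON-RPC call from some other application is ignored
    so that ordinary JSON APIs on the same port are not flagged.
    """
    try:
        obj = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    if not {"id", "method", "params"} <= obj.keys():
        return None
    method = obj.get("method")
    if not isinstance(method, str) or method not in STRATUM_METHODS:
        return None
    return obj


def scan_payload(payload: bytes) -> List[Dict]:
    """Split a reassembled TCP payload into Stratum's newline-delimited
    messages and return one finding per Stratum request found."""
    findings = []
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw:
            continue
        msg = parse_stratum_message(raw)
        if msg is not None:
            findings.append({"method": msg["method"], "id": msg["id"]})
    return findings


def check_flow(dst_host: str, payload: bytes, blocklist=POOL_BLOCKLIST) -> List[str]:
    """Combine both approaches from the article: block by destination address
    (Approach 2) and by Stratum content in unencrypted TCP (Approach 1).
    Returns the list of reasons the flow should be blocked (empty = allow)."""
    reasons = []
    if dst_host in blocklist:
        reasons.append(f"destination {dst_host} is a known mining pool")
    for hit in scan_payload(payload):
        reasons.append(f"Stratum {hit['method']} request (id={hit['id']})")
    return reasons


# Constructed sample traffic: the subscribe message from the article, a benign
# JSON-RPC call, and an HTTP request that happens to use the same port.
SAMPLE_FLOWS = [
    ("203.0.113.10", b'{"id": 1, "method": "mining.subscribe", "params": []}\n'),
    ("api.example.test", b'{"id": 7, "method": "getBalance", "params": ["acct"]}\n'),
    ("pool.example-xmr.test", b"GET / HTTP/1.1\r\nHost: pool.example-xmr.test\r\n\r\n"),
]

if __name__ == "__main__":
    for host, data in SAMPLE_FLOWS:
        verdict = check_flow(host, data)
        print(host, "->", "BLOCK " + "; ".join(verdict) if verdict else "allow")
```

The first sample is blocked on content alone, the second is allowed because its method is not a mining.* call, and the third is blocked on destination even though its payload carries no Stratum, which is the case the article gives for keeping a blocklist alongside DPI.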

Approach 2: Blocking Public Mining Pool Addresses

However, some mining pools create encrypted Stratum channels. This is particularly true for JavaScript-based applications that often run Stratum over HTTPS.

Detecting Stratum, in that case, will be difficult for DPI engines that do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains that form the public blockchain pools.

To determine the IP addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:

Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create as the necessary information is publicly available. Most mining pools publish their details over the Internet in order to attract miners to their networks (see Figure 4).

Figure 4: Public addresses for mining pools are well advertised as demonstrated by mineXMR.com’s “Getting Started” page

Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking would be time-consuming.

IT professionals would be forced to manually enter public addresses, which will likely change or increase in number, requiring constant maintenance and updates.

Cato Research Labs Publishes List of Mining Pool Addresses

To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.

Final Thoughts

The combined risk of impairing devices, increasing costs, and botnet infections led Cato Research Labs to strongly recommend IT prevent and remove crypto mining from enterprise networks.

Should software-mining applications be found on the network, Cato Research Labs strongly recommends investigating active malware infections and cleaning those machines to reduce any risk to the organization's data.

Cato Research Labs provided a list of addresses that can be used towards that goal, blocking access to public blockchain pools. But there's always a chance of new pools or addresses, which is why Cato Research Labs strongly recommends constructing rules using a DPI engine with sufficient encrypted-session capacity.

One of the most common network security solutions is the branch firewall. Branch firewall appliances can pack into a single device a wide range of security capabilities including a stateful or next-generation firewall, anti-virus, URL filtering, and IDS/IPS.

But the reality is that most of these edge devices lack the processing power to apply the full scope of capabilities on all of the necessary traffic.

If the firewall deployed in the branch cannot scale to address critical security needs, an alternative strategy must be used. Wholesale appliance upgrades are easy but expensive. Regional security hubs are complex and also costly.

A new approach, called firewall bursting, leverages cloud scalability to offer an easier, more cost-effective alternative to branch office security. (You can find a great table comparing the different Firewall approaches here.)

Costly Appliance Upgrades and Secure Hub Architectures

The existing methods of evolving branch security force IT into a tough trade-off: the cost and complexity of managing appliance sprawl or the complexities of a two-tier network security architecture.

Upgrading all branch firewalls to high-performance, next-generation branch firewalls improves network security, no doubt. Branch offices gain more in-depth packet inspection and more protections applied to more traffic. This is a relatively straightforward, but very costly, solution to achieving stronger security.

Aside from the obvious firewall upgrade cost, there are also the costs of operating and maintaining the appliance, which include forced upgrades. Sizing branch firewall appliances correctly can be tricky.

The appliance needs enough power to support the mix of security services across all traffic—encrypted and unencrypted—for the next three to five years.

Alone that would be complex, but the constantly growing traffic volumes only complicate that forecast. And encrypted traffic, which has become the new norm of virtually all Internet traffic, is not only growing but must be first decrypted, exacting a heavy processing toll on the appliance.

All of which means that IT ends up either paying more than necessary to accommodate growth or under-provisioning and risking the company’s security posture.

Regional hubs avoid the problems with upgrading all branch firewalls. Instead, organizations continue with their branch routers and firewalls, but backhaul all traffic to a larger firewall with public Internet access, typically hosted in a regional co-location hub.

The regional hub enables IT to maintain minimal branch security capabilities while benefitting from advanced security.

However, regional hubs bring their own problems. Deployment costs increase as regional hubs must be built out at significant hosting expense and equipment cost. And we’re not just speaking about throwing up an appliance in some low-grade hosting facility.

Hub outages impact not just one small office but the entire region. Hubs need to be highly available, resilient, run up-to-date software, and be maintained by expert staff.

Even then, there are still the same problems of forced upgrades due to increased traffic volume and encrypted traffic share, this time, though, of only the hub firewall appliances.

The network architecture is also made far more complex, particularly for global organizations. Not only must they roll out multiple regional hubs, but those hubs must be deployed in geographically dispersed regions or in regions with a high concentration of branches.

In short, while the number of firewall instances can be reduced, regional hubs introduce a level of complexity and cost often too excessive for many organizations.

Firewall Bursting: Stretching your Firewalls to the Cloud

Cloud computing offers a new way to solve the edge firewall dilemma. With "cloud bursting," enterprises seamlessly extend physical data center capacity to a cloud datacenter when traffic spikes or they exhaust resources of their physical datacenter.

Firewall bursting does something similar for under-capacity branch firewalls. Edge security processing is minimized where firewall capacity is constrained, and advanced security is applied in the cloud, where resources are scalable and elastic.

The on-premise firewall handles basic packet forwarding, but anything requiring "heavy lifting," such as decryption, anti-malware or IPS, is sent to the cloud. This avoids forced branch firewall upgrades.

Firewall bursting is similar to the regional hub approach, but with a key difference: the IT team isn't responsible for building and running the hubs. Hubs are created, scaled, and maintained by the cloud service provider.

Who Delivers Firewall Bursting Capabilities?

Secure web gateways (SWGs) delivered as cloud services can provide firewall bursting for Internet traffic. However, since firewalls need to apply the same inspection to WAN traffic, SWGs only offer a partial solution.

Purpose-built, global Firewall as a Service (FWaaS) is another option. FWaaS providers, such as Cato Networks, create a global network of Points of Presence (PoPs), providing a full network security stack specifically built for cloud scalability.

While the PoPs are distributed, they act "together" as a single logical firewall instance. The PoPs are highly redundant and resilient, and in case of outages, processing capacity seamlessly shifts inside or across PoPs, so firewall services are always available.

The PoPs are capable of processing very large volumes of WAN and Internet traffic. Because adding processing capacity either within PoPs or by adding new PoPs is transparent to customers, you don't have to adjust policies or reconfigure your environment to accommodate changes in load or traffic mix.

Before being removed from the list of FIPS-approved pseudorandom number generation algorithms in January 2016, the ANSI X9.31 RNG was included in various cryptographic standards over the last three decades.

Pseudorandom number generators (PRNGs) don’t generate random numbers at all. Instead, a PRNG is a deterministic algorithm that produces a sequence of bits based on an initial secret value called a seed and the current state. It always generates the same sequence of bits when used with the same initial values.

Some vendors store this 'secret' seed value hard-coded into the source code of their products, leaving it vulnerable to firmware reverse-engineering.

With both values in hand, attackers can recalculate the encryption keys, allowing them to recover encrypted data that could 'include sensitive business data, login credentials, credit card data and other confidential content.'
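To make the determinism point above concrete, here is an added example (not from the researchers or any vendor) that implements the ANSI X9.31 generator's update structure: from a key K, a date/time block DT and the state V it computes I = E_K(DT), the output R = E_K(I xor V) and the next state V' = E_K(R xor I). The standard pairs this structure with a real block cipher (3DES or AES); to keep the example dependency-free, E_K is stood in for by HMAC-SHA256 truncated to 16 bytes, which is an assumption of this example and not a cipher. The key, seed and DT values are constructed. Running two generators from the same K and seed shows that the whole output stream is reproducible by anyone who holds those two values, which is why a key hard-coded in firmware undermines the generator regardless of how good the block cipher is.

```python
import hashlib
import hmac
from typing import List

BLOCK = 16  # byte width of one generator block (AES-sized)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K in X9.31.

    ASSUMPTION of this example: HMAC-SHA256 truncated to 16 bytes is used so
    the code runs with the standard library only. It is a keyed PRF, not a
    block cipher, and must not be read as the real X9.31 construction.
    """
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class X931Generator:
    """The X9.31 state machine: key K (long-lived) and state V (the seed)."""

    def __init__(self, key: bytes, seed: bytes):
        if len(seed) != BLOCK:
            raise ValueError("seed V must be 16 bytes")
        self.key = key
        self.v = seed

    def next_block(self, dt: bytes) -> bytes:
        i = block_encrypt(self.key, dt)                      # I  = E_K(DT)
        r = block_encrypt(self.key, xor_blocks(i, self.v))   # R  = E_K(I ^ V)
        self.v = block_encrypt(self.key, xor_blocks(r, i))   # V' = E_K(R ^ I)
        return r


def generate(key: bytes, seed: bytes, timestamps: List[bytes]) -> List[bytes]:
    """Produce one 16-byte output per DT value from a fresh generator."""
    gen = X931Generator(key, seed)
    return [gen.next_block(dt) for dt in timestamps]


def stream_is_reproducible(key: bytes, seed: bytes, timestamps: List[bytes]) -> bool:
    """True when two independent generators with the same K, seed and DT
    sequence emit byte-identical output, i.e. nothing is random once those
    inputs are known."""
    return generate(key, seed, timestamps) == generate(key, seed, timestamps)


# Constructed values standing in for a key baked into firmware and a seed
# recovered alongside it. Real DT blocks are timestamps; a counter is used here.
HARDCODED_KEY = b"constructed-key!"            # 16 bytes, placeholder
RECOVERED_SEED = bytes(range(BLOCK))           # placeholder seed V
DT_SEQUENCE = [n.to_bytes(BLOCK, "big") for n in range(4)]

if __name__ == "__main__":
    for r in generate(HARDCODED_KEY, RECOVERED_SEED, DT_SEQUENCE):
        print(r.hex())
    print("reproducible:", stream_is_reproducible(HARDCODED_KEY, RECOVERED_SEED, DT_SEQUENCE))
```

The defender's takeaway is the last line: with K and V known, the output is a pure function of DT, and DT is a low-entropy timestamp. A generator whose key lives in the product's firmware therefore offers no secrecy beyond that of the firmware image itself.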

"In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4," researchers said.

"Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS."

Here below you can check a partial list (tested by researchers) of affected devices from various vendors:

The security researchers have released a brief blog post and a technical research paper on a dedicated website for the DUHK attack.

One of the most devastating aspects of the recent WannaCry ransomware attack was its self-propagating capability exploiting a vulnerability in the file access protocol, SMB v1.

Most enterprise defences are externally facing, focused on stopping incoming email and web attacks. But once attackers gain a foothold inside the network through malware, there are very few security controls that would prevent the spread of the attack between enterprise locations in the Wide Area Network (WAN).

This is partly due to the way enterprises deploy security tools, such as IPS appliances, and the effort needed to maintain those tools across multiple locations.

Cato Networks is a cloud-based, SD-WAN service provider that uniquely integrates network security into its SD-WAN offering.

The Cato IPS is fully converged with Cato’s other security services, which include next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection.

With the IPS roll out, Cato continues its march towards providing secure networking everywhere while simplifying the overall IT stack for the enterprise.

Cato Networks IPS as a Service

With IPS as a service, Cato takes care of the work previously spent managing and maintaining the IPS appliances including sizing, capacity planning, patching, and signature management.

These are complex tasks because IPS appliance performance is impacted by the mix of encrypted and unencrypted traffic and the number of active attack signatures.

Normally, IT professionals must spend time carefully calculating the effectiveness of a signature and its performance impact to avoid slowing-down traffic due to IPS appliance overload.

Cato addresses both issues. The Cato IPS leverages its elastic cloud platform to inspect any mix of encrypted and unencrypted traffic in real-time.

The decision of which signatures to deploy is made by the experts of Cato Research Labs. They consider the relevancy of the threat and the best way to describe it to the system. Often, an existing signature may already cover a specific attack vector.

New Kind of Signatures With Context-Aware Protection

The Cato IPS has another unique capability. Because it operates in the same software stack as all other network and security services and within a cloud network, it can access a rich set of context attributes.

This forms a foundation for very sophisticated signatures that are hard to compose with stand-alone IPS devices. The use of rich context makes Cato IPS signatures more accurate and more effective.

Context attributes include the application being accessed and the client being used to access it, user identity, geolocation, IP and domain reputation, the file type exchanged, and DNS activity associated with the session.

Cato shared on its blog how Cato IPS stopped the spread of the Wannacry ransomware across sites, and how Cato IPS detected command-and-control communication at one of its customer locations.

Interestingly, the IPS can extend its protection across sites and users without the need to deploy distributed appliances, another benefit of the system.

If you are a distributed enterprise constrained by your ability to support a complex networking and security environment, Cato’s approach can improve your security posture while keeping overhead to a minimum.

Disclosure: This is a sponsored post from Cato Networks, and it is really coming at a great time because we were just thinking of sharing with you how to prevent WannaCry-like attacks from spreading across enterprise networks.


Admit it. Who would not want their firewall maintenance grunt work to go away?

For more than 20 years, companies either managed their edge firewall appliances or had service providers rack-and-stack appliances in their data centers and did it for them.

This was called a managed firewall — an appliance wrapped with a managed service, often from a carrier or managed security service provider (MSSP).

The provider assumed the management of the firewall box, its software, and even its policy and management from the over-burdened IT team. But customers ended up paying for the inefficiency of dealing with appliances (i.e. “grunt work”) because the problem just shifted to the provider. A new architecture was needed - a transformation from an appliance form factor to a true cloud service.

He defined FWaaS as “...a firewall delivered as a cloud-based service or hybrid solution (that is, cloud plus on-premises appliances). The promise of FWaaS is to provide simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure”

Recently, in the 2017 Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), the analysts reference a Gartner client survey indicating 14% of respondents were likely (8%) or very likely (6%) to consider moving all the firewall security functions to FWaaS.

FWaaS isn't merely packaging of legacy appliances into a managed service. It is challenging the decades-old concept of the appliance as the primary form factor to deliver network security capabilities.

What is an FWaaS?

FWaaS offers a single logical firewall that is available anywhere, seamlessly scales to address any traffic workload, enforces a unified policy, and is self-maintained by a cloud provider.

Let’s look at these elements in more detail.

• Single, global firewall instance — One firewall instance for the entire global organization is radically different than the current architecture that places a network security stack at each location, a regional hub or a datacenter.

With FWaaS every organizational resource (data center, branch, cloud infrastructure or a mobile user) plugs into the FWaaS global service and leverages all of its security capabilities (application control, URL filtering, IPS, etc).

IT teams no longer need complex sizing processes to determine the appliance capacity needed to plan for today’s business requirements and future growth.

For example, the increase in SSL traffic volume pressures appliance processing capacity and can force unplanned. FWaaS can scale to accommodate these needs without disrupting the customer’s business operations.

• Enforcing a unified policy — A single firewall, by design, has a single security policy. While legacy appliance vendors created centralized management consoles to ease managing distributed appliances, IT must still consider the individual firewall instances per location and often customize policies to the locations’ unique attributes.

In heterogeneous firewall environments (often created due to M&A), security policy is hard to configure and enforce, increasing exposure to hackers and web-borne threats. Contrast that with a single cloud-based firewall that uniformly applies the security policy to all traffic, for all locations and users.

• Self-maintained — One of the most painful aspects of firewall management is maintaining the software through patches and upgrades. It is a risky process that could impact business connectivity and security.

Many IT teams tend to skip or completely avoid software upgrades, leaving the enterprise exposed. Because the cloud-based firewall software is maintained by the FWaaS provider and is shared by all customers, the firewall is kept up to date by quickly fixing vulnerabilities and bugs, and rapidly evolving with new features and capabilities that customers can immediately access.

FWaaS is bringing genuine relief to overburdened IT teams within enterprises and service providers. Instead of wasting cycles on sizing, deploying, patching, upgrading and configuring numerous edge devices, work can now shift to delivering true security value to the business through early detection and fast mitigation of true risk.

FWaaS Providers

FWaaS is not a mere concept. It has been deployed in production by several vendors. Cato Networks is a provider of the Cato Cloud, built from the ground up to deliver Firewall as a Service.

Cato provides an optimized, global SD-WAN, ensuring resilient connectivity to its FWaaS from all regions of the world. Cato can completely eliminate edge firewalls by inspecting both WAN and Internet-bound traffic. The Cato Cloud FWaaS further extends to mobile users and cloud datacenters.

Zscaler provides FWaaS for Internet-bound traffic from remote branches and mobile users. To secure WAN traffic, customers must rely on other means.

Palo Alto Networks recently announced a similar service. It uses its next generation firewall within a cloud service to protect users, whether in remote locations or mobile, accessing the Internet.

FWaaS is a viable alternative for IT teams that waste time and money to sustain their distributed edge firewall environments — the so-called appliance sprawl.

With FWaaS, they can now reduce the operational and capital expense of upgrading and refreshing appliances as well as the attack surface resulting from delayed patches and unmitigated vulnerabilities.

By simplifying the network security architecture, FWaaS makes IT more productive and the business secure.

Online Privacy has been one of the biggest challenges in today's interconnected world, as the governments across the world have been found censoring the Internet, stealing information and conducting mass surveillance on innocent people.

China is one such nation which has always wanted a tight hold on its citizens and has long been known for its strict Internet censorship laws, enforced through the Great Firewall of China.

The Great Firewall of China is the nation's Golden Shield project that employs a variety of tricks to censor Internet and block access to various foreign news and social media sites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay.

So, in order to thwart these restrictions and access blocked websites, hundreds of millions of Chinese citizens rely on virtual private networks (VPNs) which route their traffic to servers overseas free of the Great Firewall filters, but this may not be an option soon.

GreenVPN, one of the most popular VPN services in China, notified its customers on Monday that the company would stop its VPN service from July 1st, following orders by "regulatory departments" to cease its operation, Bloomberg reported.

However, not just GreenVPN, some users also stated that they were unable to use SuperVPN, another popular VPN service on their smartphones over the weekend, although it is unclear whether the service was down to a glitch or the government restrictions.

This restriction could be part of new rules from China's Ministry of Industry and Information Technology, announced at the beginning of this year, making it illegal to use or operate local VPNs without government approval.

According to the ministry, "all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal."

This crackdown on VPN services has been designed to "strengthen cyberspace information security management," as said by the Chinese ministry.

A recently released NSA exploit from "The Shadow Brokers" leak that affects older versions of Cisco Systems firewalls can work against newer models as well.

Dubbed ExtraBacon, the exploit was restricted to versions 8.4.(4) and earlier versions of Cisco's Adaptive Security Appliance (ASA) – a line of firewalls designed to protect corporate, government networks and data centers.

However, the exploit has now been expanded to 9.2.(4) after researchers from Hungary-based security consultancy SilentSignal were able to modify the code of ExtraBacon to make it work on a much newer version of Cisco's ASA software.

Both Cisco and Fortinet have confirmed their firewalls are affected by exploits listed in the Shadow Brokers cache that contained a set of "cyber weapons" stolen from the Equation Group.

The Equation Group is an elite hacking group tied to the NSA's offensive Tailored Access Operations (TAO) and linked to the previous infamous Regin and Stuxnet attacks.

As previously reported, the ExtraBacon exploit leveraged a zero-day vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco’s ASA software that could allow "an unauthenticated, remote attacker to cause a reload of the affected system" and take full control of a firewall.

However, the newly released exploit means that ExtraBacon poses a more dangerous threat than previously thought, as the modifications allow it to run on newer versions of Cisco firewalls, letting an attacker execute malicious code remotely.

"We have test equipment and custom firmware images that make debugging easier," Varga-Perke of SilentSignal told Ars. "These are most likely available for malicious parties, too; we are quite confident that similar code exists in private hands."

Cisco engineers have provided workarounds that help ASA customers detect and stop ExtraBacon-powered attacks, though the multi-billion dollar company has yet to release software updates to address the flaw completely.

Just as researchers modified the exploit code to make it work on newer versions of Cisco products, the hacking tools and exploits dumped by the Shadow Brokers could be adapted by a wide range of hackers to carry out advanced attacks.

Last week, a group calling itself "The Shadow Brokers" published what it said was a set of NSA "cyber weapons," including some working exploits for the Internet's most crucial network infrastructure, apparently stolen from the agency's Equation Group in 2013.

Well, talking about the authenticity of those exploits, The Intercept published Friday a new set of documents from the Edward Snowden archive, which confirms that the files leaked by the Shadow Brokers contain authentic NSA software and hacking tools used to secretly infect computers worldwide.

As I previously mentioned, the leaked documents revealed how the NSA was systematically spying on customers of big technology companies like Cisco, Fortinet, and Juniper for at least a decade.

After a thorough investigation, Cisco confirmed the authenticity of these exploits, saying that these hacking tools contain exploits that leverage two security vulnerabilities affecting Cisco ASA software designed to protect corporate and government networks and data centers.

ExtraBacon Zero-Day Cisco Exploit

A zero-day vulnerability (CVE-2016-6366) leveraged by ExtraBacon Exploit resides in the Simple Network Management Protocol (SNMP) code of Cisco ASA software that could allow "an unauthenticated, remote attacker to cause a reload of the affected system," Cisco explained in its advisory.

This leads to remote code execution (RCE) vulnerability, enabling a remote attacker to take complete control over the device.

ExtraBacon was a zero-day exploit, unknown to Cisco, that left customers open to attack by any hackers, in this case the NSA as well, who possessed the right hacking tools.

Besides ExtraBacon zero-day exploit, Cisco researchers also found a piece of code that tried to exploit an older Cisco bug (CVE-2016-6367) that was patched in 2011.

The flaw resided in the command-line interface (CLI) parser of Cisco ASA software that allowed "an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code [on the vulnerable device]," Cisco explained.

This flaw was included inside two NSA exploits, dubbed EPICBANANA as well as JETPLOW, which is an enhanced version of EPICBANANA, but with better persistence capabilities, Cisco's Omar Santos said in a blog post.

In addition, the leaked data contains files for decrypting Cisco PIX Virtual Private Network (VPN) traffic, and implanting malware in computer motherboard firmware in such a way that it's almost impossible to detect or delete.

The multi-billion dollar tech firm has provided workarounds that address the vulnerabilities, and plans to release software updates to address the issues completely as soon as possible.

Fortinet says, Exploits Disclosed in 'NSA hack' are Legit

Meanwhile, another firewall equipment vendor, Fortinet, also warned of a high-risk vulnerability included in the EGREGIOUSBLUNDER exploit leaked by The Shadow Brokers, which affects older versions of its FortiGate firewalls.

The flaw resides in the onboard cookie parser buffer that could allow an attacker to take over an affected device by sending a specially crafted HTTP request.

Fortinet recommended that its customers and businesses upgrade to FortiGuard versions 5.x. Juniper, however, has yet to issue security advisories based on the leaked files in the data dump.

Who Are 'The Shadow Brokers'? Russia? An Insider?

How the files containing the exploits were leaked, and who exactly leaked them, are still unclear, but the recent developments have made it very clear that these exploits belong to the NSA and that the agency was using them to target customers worldwide.

The Shadow Brokers' identity is still a mystery: As for now, multiple theories have been proposed.

Some are pointing their fingers towards Russia; some are saying it's an insider's job; while some say the NSA hacker using the hacking tools failed to clean up after an operation that allowed someone to grab them without compromising or hacking the agency.

In Brief

Investigators from the Forensic Training Institute of Bangladesh investigated the $80 Million bank heist and discovered that the hackers managed to gain access to the network because the bank was using second-hand $10 network switches, without a firewall, to run its network.

When it was reported last month that an unknown hacking group had attempted to steal $1 Billion from Bangladesh's Federal Reserve bank account with the help of malware, and had in fact successfully stolen over $80 Million, the investigators would not say how the hackers managed to bypass the security solutions on its network.

But in reality, there was no security solution installed to help protect against increasingly sophisticated attacks.

This lack of security practices made it much easier for the hackers to break into the system and steal $81 Million, though a simple typo (spelling error) by the hackers halted the further transfers of the $850 Million in funds.

The network computers that were linked through the second-hand routers were connected to the SWIFT global payment network, allowing hackers to gain access to the credentials required to make high-value transfers straight into their own accounts.

"It could be difficult to hack if there was a firewall," forensic investigator Mohammad Shah Alam told Reuters.

Firewalls are meant to help keep malicious hackers and malware out and stop them from doing nasty things.

Moreover, the use of cheap routers made it difficult for investigators to pinpoint the hackers behind the largest bank heist and figure out the hackers' tactics, Alam added.

The investigator blamed both the bank as well as SWIFT, saying "It was their responsibility to point it out, but we have not found any evidence that they advised before the heist."

Hackers broke into the bank's systems and tried to steal $1 Billion from its account at the Federal Reserve Bank of New York in early February and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.

Bangladesh police have identified 20 foreigners involved in the heist but the police said the people appear to be those who received some of the payments rather than the hackers who initially stole the money.

Though the investigators are still scratching their heads, with no clue as to the identity of the hackers, the incident is a good reminder for financial institutions across the globe to tighten up the security of their systems.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Juniper Networks has announced that it has discovered "unauthorized code" in ScreenOS, the operating system for its NetScreen firewalls, that could allow an attacker to decrypt traffic sent through Virtual Private Networks (VPNs).

It's not clear what caused the code to get there or how long it has been there, but the release notes posted by Juniper suggest the earliest buggy versions of the software date back to at least 2012 and possibly earlier.

The backdoor impacts NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, states the advisory published by the company. However, there is no evidence right now as to whether the backdoor was present in other Juniper OSes or devices.

The issue was uncovered during an internal code review of the software, according to Juniper chief information officer Bob Worrall, and requires immediate patching by upgrading to a new version of the software just released today.

"Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Worrall said.

How Does the Backdoor Occur?

The backdoor occurred due to a pair of critical vulnerabilities:

The first allows anyone to decrypt VPN traffic and leave no trace of their actions.

The second allows anyone to completely compromise a device via an unauthorized remote access vulnerability over SSH or telnet.

In short, an attacker could remotely log in to the firewall with administrator privileges, decrypt and spy on thought-to-be-secure traffic, and then even remove every trace of their activity.

Sounds awful, although Juniper claims the company has not heard of any exploitation in the wild so far, and it has released patched versions of ScreenOS that are available now on its download page.

Firewalls are the front-line soldiers, who sit strategically at the edge of your network and defend it from various security threats. Firewalls require constant maintenance and management to ensure that they are accurately configured for optimal security, continuous compliance, and high performance.

Manual firewall configuration and change management is a time-consuming, error-prone, and headache-fraught task, especially in today's increasingly complex and dynamic networks. For organizations dealing with dozens, or very commonly hundreds, of individual firewalls, routers and other network security devices, manual configuration and ongoing ACL changes can quickly become a management nightmare.

If not managed correctly, organizations can find themselves exposed to dangerous cyber threats and compliance risks, which can lead to costly repercussions.

The key to keeping up with ever-changing and ever-growing firewall rule-sets is automation. By automating firewall configuration and change analysis, organizations can achieve not only stronger security, but significant operational efficiencies.

A network-aware firewall analysis tool is the best solution to perform intelligent analysis and reporting around security rules across all firewall and layer 3 devices in the network. One such tool is Firewall Security Manager (FSM) from SolarWinds.

SolarWinds Firewall Security Manager (FSM) is a great solution, offered by an excellent and well-respected company, for organizations and companies that need expert management and reporting on their most critical security devices. Installing and configuring the product is relatively straightforward, and multiple clients can be deployed, allowing more than one administrator to access the system concurrently.

Multi-Vendor Firewall Management

SolarWinds Firewall Security Manager (FSM) gives Network and Security administrators an easy-to-use, yet comprehensive tool to view and manage all firewall configurations, rules, objects, interfaces, and problems in one place, even if they are from multiple vendors.

With SolarWinds FSM, administrators get in-depth insight into multi-vendor firewalls and Layer 3 network security devices to ensure the right security policies are in place to keep the network and its critical assets (i.e. sensitive data) protected. It ensures the right traffic gets through and the wrong traffic is kept out.

FSM examines how the combination of ACL rules, address translations, routing tables, VPN tunnels, and anti-spoof settings all work together to allow or deny services through the firewall. It leverages more than 120 customizable, out-of-the-box checks based on industry standards, including NSA, NIST, SANS, and CIS. Each check has an associated severity (high, medium or low). The Security Audit report lists all of the policy checks that were flagged (meaning a potential risk was identified), prioritized by criticality.

Firewall Change Management

Managing and tracking firewall changes manually is difficult, time-consuming, and prone to human error. SolarWinds Firewall Security Manager mitigates these issues with powerful built-in tools to automate the change management process. It leverages intelligent, predictive change modeling to allow the user to evaluate the impact of proposed changes before making the change.

"It creates a separate environment, called the Change Modeling Session, where changes can be safely made and tested before going live on the production environment," the SolarWinds FSM website explains.

Rule Clean-up & Optimization

Firewall Security Manager’s rule cleanup and optimization capabilities identify unnecessary, unused or conflicting firewall rules that can be safely removed. It does this by assessing the rule structure, relationships, and rule usage data to find duplicate, unused, and order-dependent rules. Using the rule usage data, an optimized rule order for improved firewall performance is suggested. It also identifies network and service objects that are not referenced by any ACL or NAT rules and are candidates for removal from the configuration.

FSM goes a step further than just identifying which rules can be safely removed; it generates the change script to be applied to the firewall. It’s this intelligent, automated rule cleanup that increases firewall performance and maximizes rule-set efficiency, while reducing errors and enhancing security.
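The rule clean-up checks described above (duplicate, order-dependent and unused rules, plus unreferenced objects and a usage-driven reorder), as an added example in Python; this is not SolarWinds FSM code, and the rule format, the network objects and the hit counts are constructed for illustration.

```python
"""Firewall ACL clean-up analysis: redundant, shadowed and unused rules,
unreferenced network objects, and a hit-count based reorder that never
changes what the ACL permits. Added example; rules and counters are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port or "any"
    hits: int = 0  # usage counter exported by the device (constructed here)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    net = ipaddress.ip_network
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.port in ("any", inner.port))


def _conflicts(a: Rule, b: Rule) -> bool:
    """True when a and b can match the same packet but decide differently,
    so their relative order must be preserved by any reorder."""
    if a.action == b.action:
        return False
    net = ipaddress.ip_network
    return (net(a.src).overlaps(net(b.src)) and net(a.dst).overlaps(net(b.dst))
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and ("any" in (a.port, b.port) or a.port == b.port))


def analyze(rules: list[Rule]) -> dict[str, list[str]]:
    """Walk the ACL in evaluation order (first match wins) and classify each rule."""
    findings = {"shadowed": [], "redundant": [], "unused": []}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                # An earlier rule already decides every packet this rule could see:
                # same action means a duplicate, different action means it is shadowed.
                key = "redundant" if earlier.action == rule.action else "shadowed"
                findings[key].append(f"{rule.name} by {earlier.name}")
                break
        if rule.hits == 0:
            findings["unused"].append(rule.name)
    return findings


def unreferenced_objects(objects: dict[str, str], rules: list[Rule]) -> list[str]:
    """Network objects (name -> CIDR) used as neither src nor dst by any rule."""
    used = {r.src for r in rules} | {r.dst for r in rules}
    return sorted(name for name, cidr in objects.items() if cidr not in used)


def suggested_order(rules: list[Rule]) -> list[str]:
    """Move busy rules up for performance, but never past a conflicting rule."""
    ordered, remaining = [], list(rules)
    while remaining:
        ready = [r for r in remaining
                 if not any(_conflicts(p, r) for p in remaining[:remaining.index(r)])]
        best = max(ready, key=lambda r: r.hits)   # ties keep original order
        ordered.append(best.name)
        remaining.remove(best)
    return ordered


# Constructed sample data.
SAMPLE_OBJECTS = {"lan": "10.0.0.0/8", "dmz": "192.168.1.0/24",
                  "legacy": "172.16.0.0/12", "web": "192.168.1.10/32"}
SAMPLE_RULES = [
    Rule("r1", "permit", "10.0.0.0/8", "192.168.1.10/32", "tcp", "443", hits=120),
    Rule("r2", "deny", "10.0.0.0/8", "192.168.1.0/24", "any", "any", hits=4000),
    Rule("r3", "permit", "10.1.0.0/16", "192.168.1.0/24", "tcp", "80", hits=0),
    Rule("r4", "deny", "10.0.0.0/8", "192.168.1.0/24", "tcp", "22", hits=0),
    Rule("r5", "permit", "10.0.0.0/8", "8.8.8.8/32", "udp", "53", hits=9000),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_RULES))
    print(unreferenced_objects(SAMPLE_OBJECTS, SAMPLE_RULES))
    print(suggested_order(SAMPLE_RULES))
```

r3 is shadowed by the broader deny in r2 and r4 duplicates it; both are also unused, so they are the removal candidates, while the reorder moves the busy DNS rule to the top without letting r1 and r2 swap.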

Security and Compliance Reporting

SolarWinds FSM also provides out-of-the-box security and compliance reports that can be scheduled and customized to an organization's needs. Built-in reports include:

The dashboard delivers all the essential information needed—both at a high-level and a drill-down detailed level—to identify and rapidly resolve vital issues. It includes critical alerts, configuration change logs, as well as the ability to view and export an array of security and compliance reports. And, all of this can be accomplished with point-and-click simplicity.

It should also be noted that SolarWinds Firewall Security Manager integrates with SolarWinds Network Configuration Manager for extended security and compliance management capabilities, including change detection and alerts, automated backups of firewall configurations, and bulk change deployment.

Conclusion

In all, SolarWinds Firewall Security Manager is an ideal solution for simplifying and streamlining firewall management in today’s ever-evolving IT infrastructures. The end result is stronger security and compliance, enhanced firewall performance, and time-saving/cost-saving operational efficiencies.

Last December, the foundation behind the security-focused Unix-like distribution OpenBSD announced that it was facing shutdown due to a lack of funds to pay its electricity bills and dedicated Internet line costs.

Theo de Raadt, the founder of the OpenBSD project, and Bob Beck (Developer) announced:
"In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs. But the fact is right now, OpenBSD will shut down if we do not have the funding to keep the lights on."

Just a month later, a Bitcoin billionaire from Romania stepped in and sorted OpenBSD out: Mircea Popescu, the creator of the MPEx Bitcoin stock exchange, offered a $20,000 donation to the OpenBSD Foundation and saved OpenBSD development from being halted.

Like every open source project, OpenBSD's production servers are funded by donations from individuals and organizations. The operating system had reached a point where its sustainability was in question.

Funding issues are not new to the OpenBSD project. In 2006, it faced a similar issue, running at a $20,000 loss each year.

OpenBSD, developed at the University of California, Berkeley, is the most important name in UNIX derivatives, and is a core component for developing firewalls, Microsoft's services for UNIX, Windows Core Security Force and other proprietary systems.

OpenBSD itself has a built-in cryptography and packet filtering suite, which is used in firewalls, IDSs and VPN gateways.

The OpenBSD Foundation has now raised $100,000 and is still trying to reach its 2014 target of $150,000, so that it can continue to sponsor hackathons and other development efforts.

Google has found that a French government agency was using unauthorized digital certificates for some of Google's own domains to perform man-in-the-middle attacks on a private network.

Google security engineer Adam Langley described the incident as a "serious security breach", which was discovered in early December. The rogue digital certificates had been issued by the French certificate authority ANSSI, which works closely with the French defense agency.

Google has immediately blocked the misused intermediate certificate and updated Chrome’s certificate revocation list to block all dodgy certificates issued by the French authority.

In a statement, ANSSI said that the intermediate CA certificate was used to inspect encrypted traffic, with the users' knowledge, on a private network with a commercial device, i.e. snooping on its own users' Internet usage.

According to the, the inspection of SSL traffic on their own networks can help organizations prevent data leaks or discover malicious connections initiated by malware.

It could be a critical threat if such a signed certificate were ever to fall into the wrong hands. Microsoft warned that "An attacker could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against a large number of Google-owned domains, including google.com and youtube.com."

Last year, a Turkish certificate authority called 'Turktrust' was revealed to have issued two subordinate certificates for the domain gmail.com, and these certificates had been used to intercept Gmail users' traffic.

NSA is also alleged to have used man-in-the-middle attacks through unauthorized certificates against Google in the past. Google said, "We're now working to bring this extra protection to more users who are not signed in."

Users in Iran call the Internet the "Filternet" because of the heavily censored Internet access they have. Millions of Iranians use VPN servers to access the outside world.

In October 2013, Jack Dorsey, the co-founder of Twitter, asked the Iranian President, 'Are citizens of Iran able to read your tweets?' In reply, the President said that he would work to make sure Iranians have access to information globally, in what appeared to be a reference to reducing online censorship.

Just after promising to support Internet freedom, the Iranian government has banned yet another web application: Cryptocat, a tool that allows secure and encrypted chat.

The app is well known for bringing encrypted communications to the masses, popular with human rights activists and journalists around the world.

According to 'Blockediniran.com', the Cryptocat website and its associated private chat service have been inaccessible to users in Iran since Monday.

'It currently appears that Cryptocat is the first and only encrypted chat application to be censored in Iran,' the blog post says.

'Cryptocat’s main objective is to provide easy to use, accessible private chat around the world. We will do everything we can to allow our users in Iran access to Cryptocat, along with the rest of the world.'

But Iranian users can still use Cryptocat. The team provides its chat service via the Tor network on a hidden-service website, 'catmeow2zuqpkpyw.onion', which can be accessed only with Tor software.

'We’re doing the best we can, and we believe that Cryptocat offers legitimate privacy by employing impressive encryption measures.'

Possibly the Cryptocat service was used by some political groups that the Iranian government was targeting. Other such encrypted apps are still working and have not yet been banned in Iran. Cryptocat is available for Mac, as well as a plugin for Chrome and Firefox, and now includes Tor censorship circumvention technology built in.

CryptoLocker is an especially insidious form of ransomware that was first detected in the wild in September 2013; it restricts access to infected computers and requires victims to pay a ransom in order to regain full access.

What makes CryptoLocker so bad is the way it encrypts the user data on your hard drive using a strong encryption method. This makes it practically impossible to access your own data without paying the criminals a ransom of between $100 and $300, or two Bitcoins, and now even more.

Once affected, you will be locked out of your computer, and unless you pay the ransom within 72 hours, the virus will delete the decryption key needed to decrypt all the files on your PC.

The malware lands on PCs the same way other malware does, and a few sensible precautions will help minimize the chances of a CryptoLocker attack.

Yesterday, we reported that the UK's National Crime Agency had issued an urgent national alert about a mass spamming event targeting 10 million UK-based email users with CryptoLocker. What if your computer gets compromised? Currently there is no way to decrypt the files without the decryption key, and brute-forcing a file protected with 2048-bit encryption is practically impossible. If you don't pay the ransom, you forever lose access to everything you have been working on that is stored on your computer.

A few things you can do to prevent your PC from getting infected with the CryptoLocker virus:

Most viruses are introduced by opening infected attachments or clicking on links to malware usually contained in spam emails. Avoid opening emails and attachments from unknown sources, especially zip or rar archive files.

Most people have some anti-virus program, but how do you know it's effective? Ensure you have the best one active and up-to-date.

Also keep your operating system and software up-to-date.

Keep a backup. If you have real-time backup software, make sure that you first clean the computer and then restore the unencrypted versions of the files.

Create files in the Cloud and upload photos to online accounts like Flickr or Picasa.

Windows 7 users should set up the System Restore points or, if you are using Windows 8, configure it to keep the file history.

Make sure you have reformatted your hard drive to completely remove the CryptoLocker trojan before you attempt to re-install Windows and/or restore your files from a backup.

There are many free tools now available in the community that can help users protect their systems from this malware.

1.) CryptoPrevent tool, created by American security expert Nick Shaw.

This tool applies a number of settings to your installation of Windows that prevents CryptoLocker from ever executing and has been proven to work in Windows XP and Windows 7 environments.

2.) HitmanPro.Alert 2.5, a free utility that will help you to protect your computer against the CryptoLocker ransomware malware.

HitmanPro.Alert 2.5 contains a new feature, called CryptoGuard that monitors your file system for suspicious operations. When suspicious behavior is detected, the malicious code is neutralized and your files remain safe from harm.

Intrusion prevention systems can block the communication sent from a CryptoLocker-infected system to the remote command-and-control server from which the malware retrieves the key used to encrypt the files. Blocking this communication can prevent the encryption from taking place.

Browser-based botnets are the T-1000s of the DDoS world. Just like the iconic villain of the old Judgment Day movie, they too are designed for adaptive infiltration. This is what makes them so dangerous. Where other more primitive bots would try to brute-force your defenses, these bots can simply mimic their way through the front gate.

By the time you notice that something's wrong, your perimeter has already been breached, your servers have been brought down, and there is little left to do but hang up and move on.

So how do you flush out a T-1000? How do you tell a browser-based bot from a real person using a real browser? Some common bot filtering methods, which usually rely on sets of Progressive Challenges, are absolutely useless against bots that can retain cookies and execute JavaScript.

The alternative, indiscriminately flashing CAPTCHAs at anyone with a browser, is nothing less than a self-inflicted disaster, especially when the attacks can go on for weeks at a time.

To demonstrate how these attacks can be stopped, here's a case study of an actual DDoS event involving such browsers: an attack that employed a swarm of human-like bots and would, under most circumstances, have resulted in a complete and total disaster.

Browser-based Botnet: Attack Methodology

The attack was executed by an unidentified botnet, which employed browser-based bots that were able to retain cookies and execute JavaScript. Early in the attack they were identified as PhantomJS headless-browsers.

PhantomJS is a development tool that uses a bare-bones (or "headless") browser, providing its users with full browsing capabilities but no user interface: no buttons, no address bar, etc. PhantomJS can be used for automation and load monitoring.

The attack lasted for over 150 hours, during which we recorded malicious visits from over 180,000 attacking IPs worldwide. In terms of volume, the attack peaked at 6,000 hits/second, with an average of more than 690,000,000 hits a day. The number of attacking IPs, as well as their geographical variety, led us to believe that this might have been a coordinated effort involving more than one botnet at a time.

More than one Botnet?

Throughout the duration of the attack we dealt with 861 different user-agent variants, as the attackers constantly modified the header structure to try to evade our defenses. Most commonly, the attackers were using different variants of Chrome, Opera and Firefox user-agents.

Most active attacking IPs.

It is interesting to note that, besides using human-like bots, the attackers also made an effort to mimic human behavior, presumably to avoid behavior-based security rules. To that end, the attackers leveraged the number of available IP addresses to split the load in a way that would not trigger rate-limiting. At the same time, by constantly introducing new IPs, the attackers made sure that IP-based restrictions would be just as ineffective. The bots were also programmed for human-like browsing patterns: accessing the sites from different landing pages and moving through them at a random pace and in varied patterns before converging on the target resource.

Methods of Mitigation

Incapsula’s Layer 7 security perimeter uses a combination of filtering methods, which create several defensive layers around the protected website or web application.

In this case the nature of the attacking bots allowed them to successfully bypass Progressive Challenges. As mentioned, the botnet's shepherds also went to great lengths to evade our Abnormality Detection mechanisms, which they were able to do, at least to some extent.

However, by using a known headless browser, the attackers left themselves open to detection by our Client Classification mechanism, which, interestingly enough, uses the same technology as the 'Bot Filtering' feature of our free plan.

Our Client Classification algorithms rely on a crowd-sourced pool of known signatures, consisting of information gathered from across our network. At the time of the attack, the signature pool held over 10,000,000 signature variants, each containing information about:

User-agent

IPs and ASN info

HTTP Headers

JavaScript footprint

Cookie/Protocol support variations

In the context of browser-based visitors, this means that we are looking not only at the more apparent factors (like the user-agent or its correlation to the origin IP), but also at the intricate nuances that exist within each browser.

Security is a closed-hand game, so it would be hard to explain this without exposing some of our methods. Still, to provide some context, we can say that (on the low end) this means looking at minor differences in the way browsers handle encoding, respond to specific attributes, etc. For example, we can learn about our visitors from the way their browser handles HTTP headers with double spacing or special characters.

The point is, our database holds tens of thousands of variants for each known browser or bot, to cover all possible scenarios (e.g., browsing using different desktop or handheld devices, going through proxies, etc.). Best of all, in this case the attacker's weapon of choice, the PhantomJS WebKit, is one of those signatures.
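A small client classifier in the spirit of the signature pool described above (user-agent, header set, JavaScript footprint and cookie support), as an added example in Python; this is not Incapsula's code, the signature rules are heuristics assumed for illustration, and the request log is constructed. It also shows why a headless signature is the reliable signal when the attacker rotates user-agents and IPs: every rotated variant still carries the same footprint.

```python
"""Classify web visitors against a constructed signature pool and decide
allow / challenge / block. Added example; rules and requests are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    user_agent: str
    headers: dict[str, str]   # request headers as received
    js_props: frozenset[str]  # window globals reported back by a client-side probe
    cookies_ok: bool          # did the client return the cookie set on its first visit?


# Constructed signature knowledge (assumption: this is what the probe collects).
# PhantomJS exposes these globals regardless of the user-agent string it sends.
PHANTOMJS_GLOBALS = frozenset({"_phantom", "callPhantom"})
# Desktop browsers send these headers on a normal page navigation.
EXPECTED_HEADERS = frozenset({"accept", "accept-language", "accept-encoding"})


def classify(req: Request) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'challenge' or 'block'."""
    reasons = []
    ua = req.user_agent
    # JavaScript footprint: the UA may claim Chrome, but the globals say PhantomJS.
    if "PhantomJS" in ua or req.js_props & PHANTOMJS_GLOBALS:
        reasons.append("phantomjs-footprint")
    # Header set: a rotated UA string alone does not reproduce a browser's headers.
    missing = EXPECTED_HEADERS - {h.lower() for h in req.headers}
    if missing:
        reasons.append("missing-headers:" + ",".join(sorted(missing)))
    # Header nuance (heuristic): hand-built UA strings often carry stray double spaces.
    if "  " in ua:
        reasons.append("malformed-ua")
    # Protocol support: a client that drops our cookie cannot be tracked across requests.
    if not req.cookies_ok:
        reasons.append("no-cookie-support")
    if "phantomjs-footprint" in reasons:
        return "block", reasons          # known tool signature: no challenge needed
    return ("challenge" if reasons else "allow"), reasons


def summarize(requests: list[Request]) -> dict[str, object]:
    """Aggregate verdicts and the UA/IP diversity of what was blocked; a botnet
    rotating user-agents and IPs shows up as many variants behind one footprint."""
    verdicts: Counter = Counter()
    blocked_uas, blocked_ips = set(), set()
    for req in requests:
        verdict, _ = classify(req)
        verdicts[verdict] += 1
        if verdict == "block":
            blocked_uas.add(req.user_agent)
            blocked_ips.add(req.ip)
    return {"verdicts": dict(verdicts),
            "blocked_ua_variants": len(blocked_uas),
            "blocked_ips": len(blocked_ips)}


# Constructed request log.
FULL = {"Accept": "text/html", "Accept-Language": "en-US", "Accept-Encoding": "gzip"}
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/30.0 Safari/537.36")
SAMPLE_REQUESTS = [
    Request("203.0.113.5", CHROME_UA, FULL, frozenset({"chrome"}), True),
    Request("198.51.100.7", CHROME_UA, FULL, frozenset({"_phantom", "callPhantom"}), True),
    Request("198.51.100.8", "Opera/9.80 (Windows NT 6.1) Presto/2.12 Version/12.16",
            FULL, frozenset({"callPhantom"}), True),
    Request("198.51.100.9", "Mozilla/5.0 (X11; Linux) AppleWebKit/534.34 (KHTML, like Gecko) "
            "PhantomJS/1.9 Safari/534.34", FULL, frozenset(), True),
    Request("192.0.2.44", "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0",
            {"Accept": "text/html"}, frozenset(), False),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.ip, *classify(req))
    print(summarize(SAMPLE_REQUESTS))
```

Three requests with three different user-agents and three IPs collapse into one blocked footprint, while the incomplete Firefox request is only challenged, leaving a real visitor a way through.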

Fortune favors the prepared

And so, while the attackers were ducking and diving to make their bots look like humans, all our team really had to do was let our system discover the type of headless browser they were using. From there it was a simple task of blocking all PhantomJS instances. We even left a redemption option, offering visitors the chance to fill in a CAPTCHA, just in case any of them were real human visitors.

Not surprisingly, no such CAPTCHAs were filled in.

1 DDoS blocked.

Aftermath

The attacks continued past the point of mitigation. Days later, after we switched to auto-pilot, the attackers were still trying to come at us with new user-agents and new IPs, obviously oblivious to the real reason for their blockage. However, for all their T-1000-like relentlessness, they were already iced. Their cover was blown, and their methods, signatures and patterns were internally recorded for future reference.